Sunday, November 21, 2010

The 5 Most Amazing Details of the Stuxnet Cyberbomb

The security firm Symantec continues to reverse-engineer the Stuxnet cyberworm and has confirmed that it is probably the most sophisticated infoweapon ever developed.

...there is now strong evidence linking the Stuxnet virus, which modifies code on SCADA and PLC control systems, to a state-sponsored attack on Iran’s nuclear enrichment programme...

The virus was found to attack only frequency converter drives – power supply units that can change the frequency of the output and control the speed of a motor – from two specific vendors, one based in Finland and the other in Tehran.

Stuxnet also requires the converter drives to be operating at very high speeds, between 807 Hz and 1210 Hz, which are used only in a limited number of applications. Interfering with the speed of the motors sabotages the normal operation of the industrial control process...

Efficient low-harmonic frequency converter drives that output over 600Hz are regulated for export in the US by the Nuclear Regulatory Commission as they can be used for uranium enrichment.

Symantec's analysis revealed the critical details of Stuxnet.

However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland and the other in Tehran, Iran. This is in addition to the previous requirements we discussed of a S7-300 CPU and a CP-342-5 Profibus communications module... The target system would potentially look something like the diagram below...

A frequency converter drive is a power supply that can change the frequency of the output, which controls the speed of a motor. The higher the frequency, the higher the speed of the motor...

[1] We are now able to describe the purpose of all of Stuxnet’s code.
[2] Stuxnet requires particular frequency converter drives from specific vendors, some of which may not be procurable in certain countries.
[3] Stuxnet requires the frequency converter drives to be operating at very high speeds, between 807 Hz and 1210 Hz. While frequency converter drives are used in many industrial control applications, these speeds are used only in a limited number of applications.
[4] Stuxnet changes the output frequencies and thus the speed of the motors for short intervals over periods of months. Interfering with the speed of the motors sabotages the normal operation of the industrial control process.
[5] Stuxnet’s requirement for particular frequency converter drives and operating characteristics focuses the number of possible speculated targets to a limited set of possibilities.

Stuxnet monitors the current operating frequency of these motors, which must be between 807 Hz and 1210 Hz, before Stuxnet modifies their behavior. Relative to the typical uses of frequency converter drives, these frequencies are considered very high-speed and now limit the potential speculated targets of Stuxnet... efficient low-harmonic frequency converter drives that output over 600Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment...

Once operation at those frequencies occurs for a period of time, Stuxnet then hijacks the PLC code and begins modifying the behavior of the frequency converter drives. In addition to other parameters, over a period of months, Stuxnet changes the output frequency for short periods of time to 1410Hz and then to 2Hz and then to 1064Hz. Modification of the output frequency essentially sabotages the automation system from operating properly. Other parameter changes may also cause unexpected effects.

Awesome.


2 comments:

Anonymous said...

But Tehran Bob assured us there was no problems

Frank G

Whitehall said...

While I'm no expert on enrichment, I would expect such behavior of periodically altering the centifuge speed as a way to "fatigue" the metal of the rotating cylinders.

This metal is already at its limits since we know that only special metallurgy works in this application.

If this works, looks to the rotors to blow up into shrapnel eventually.